End-to-End Network Security: Defense-in-Depth (Paperback)
Description
End-to-End Network Security
Defense-in-Depth
Best practices for assessing and improving network defenses and responding to security incidents
Omar Santos
Information security practices have evolved from Internet perimeter protection to an in-depth defense model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. This is necessary due to increased attack frequency, diverse attack sophistication, and the rapid nature of attack velocity, all blurring the boundaries between the network and perimeter.
End-to-End Network Security is designed to counter the new generation of complex threats. Adopting this robust security strategy defends against highly sophisticated attacks that can occur at multiple locations in your network. The ultimate goal is to deploy a set of security capabilities that together create an intelligent, self-defending network that identifies attacks as they occur, generates alerts as appropriate, and then automatically responds.
End-to-End Network Security provides you with a comprehensive look at the mechanisms to counter threats to each part of your network. The book starts with a review of network security technologies, then covers the six-step methodology for incident response and best practices from proactive security frameworks. Later chapters cover wireless network security, IP telephony security, data center security, and IPv6 security. Finally, several case studies representing small, medium, and large enterprises provide detailed example configurations and implementation strategies of best practices learned in earlier chapters.
Adopting the techniques and strategies outlined in this book enables you to prevent day-zero attacks, improve your overall security posture, build strong policies, and deploy intelligent, self-defending networks.
“Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies.”
–Bruce Murphy, Vice President, World Wide Security Practices, Cisco
Omar Santos is a senior network security engineer at Cisco®. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.
Guard your network with firewalls, VPNs, and intrusion prevention systems
Control network access with AAA
Enforce security policies with Cisco Network Admission Control (NAC)
Learn how to perform risk and threat analysis
Harden your network infrastructure, security policies, and procedures against security threats
Identify and classify security threats
Trace back attacks to their source
Learn how to best react to security incidents
Maintain visibility and control over your network with the SAVE framework
Apply Defense-in-Depth principles to wireless networks, IP telephony networks, data centers, and IPv6 networks
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Table of Contents
Foreword
Introduction
Part I: Introduction to Network Security Solutions
Chapter 1: Overview of Network Security Technologies
  Firewalls
  Network Firewalls
  Network Address Translation (NAT)
  Stateful Firewalls
  Deep Packet Inspection
  Demilitarized Zones
  Personal Firewalls
  Virtual Private Networks (VPN)
  Technical Overview of IPsec
  Phase 1
  Phase 2
  SSL VPNs
  Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  Pattern Matching
  Protocol Analysis
  Heuristic-Based Analysis
  Anomaly-Based Analysis
  Anomaly Detection Systems
  Authentication, Authorization, and Accounting (AAA) and Identity Management
  RADIUS
  TACACS+
  Identity Management Concepts
  Network Admission Control
  NAC Appliance
  NAC Framework
  Routing Mechanisms as Security Tools
  Summary
Part II: Security Lifestyle: Frameworks and Methodologies
Chapter 2: Preparation Phase
  Risk Analysis
  Threat Modeling
  Penetration Testing
  Social Engineering
  Security Intelligence
  Common Vulnerability Scoring System
  Base Metrics
  Temporal Metrics
  Environmental Metrics
  Creating a Computer Security Incident Response Team (CSIRT)
  Who Should Be Part of the CSIRT?
  Incident Response Collaborative Teams
  Tasks and Responsibilities of the CSIRT
  Building Strong Security Policies
  Infrastructure Protection
  Strong Device Access Control
  SSH Versus Telnet
  Local Password Management
  Configuring Authentication Banners
  Interactive Access Control
  Role-Based Command-Line Interface (CLI) Access in Cisco IOS
  Controlling SNMP Access
  Securing Routing Protocols
  Configuring Static Routing Peers
  Authentication
  Route Filtering
  Time-to-Live (TTL) Security Check
  Disabling Unnecessary Services on Network Components
  Cisco Discovery Protocol (CDP)
  Finger
  Directed Broadcast
  Maintenance Operations Protocol (MOP)
  BOOTP Server
  ICMP Redirects
  IP Source Routing
  Packet Assembler/Disassembler (PAD)
  Proxy Address Resolution Protocol (ARP)
  IDENT
  TCP and User Datagram Protocol (UDP) Small Servers
  IP Version 6 (IPv6)
  Locking Down Unused Ports on Network Access Devices
  Control Resource Exhaustion
  Resource Thresholding Notification
  CPU Protection
  Receive Access Control Lists (rACLs)
  Control Plane Policing (CoPP)
  Scheduler Allocate/Interval
  Policy Enforcement
  Infrastructure Protection Access Control Lists (iACLs)
  Unicast Reverse Path Forwarding (Unicast RPF)
  Automated Security Tools Within Cisco IOS
  Cisco IOS AutoSecure
  Cisco Secure Device Manager (SDM)
  Telemetry
  Endpoint Security
  Patch Management
  Cisco Security Agent (CSA)
  Network Admission Control
  Phased Approach
  Administrative Tasks
  Staff and Support
  Summary
Chapter 3: Identifying and Classifying Security Threats
  Network Visibility
  Telemetry and Anomaly Detection
  NetFlow
  Enabling NetFlow
  Collecting NetFlow Statistics from the CLI
  SYSLOG
  Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches
  Enabling Logging on Cisco Catalyst Switches Running CATOS
  Enabling Logging on Cisco ASA and Cisco PIX Security Appliances
  SNMP
  Enabling SNMP on Cisco IOS Devices
  Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances
  Cisco Security Monitoring, Analysis and Response System (CS-MARS)
  Cisco Network Analysis Module (NAM)
  Open Source Monitoring Tools
  Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances
  Intrusion Detection and Intrusion Prevention Systems (IDS/IPS)
  The Importance of Signature Updates
  The Importance of Tuning
  Anomaly Detection Within Cisco IPS Devices
  Summary
Chapter 4: Traceback
  Traceback in the Service Provider Environment
  Traceback in the Enterprise
  Summary
Chapter 5: Reacting to Security Incidents
  Adequate Incident-Handling Policies and Procedures
  Laws and Computer Crimes
  Security Incident Mitigation Tools
  Access Control Lists (ACL)
  Private VLANs
  Remotely Triggered Black Hole Routing
  Forensics
  Log Files
  Linux Forensics Tools
  Windows Forensics
  Summary
Chapter 6: Postmortem and Improvement
  Collected Incident Data
  Root-Cause Analysis and Lessons Learned
  Building an Action Plan
  Summary
Chapter 7: Proactive Security Framework
  SAVE Versus ITU-T X.805
  Identity and Trust
  AAA
  Cisco Guard Active Verification
  DHCP Snooping
  IP Source Guard
  Digital Certificates and PKI
  IKE
  Network Admission Control (NAC)
  Routing Protocol Authentication
  Strict Unicast RPF
  Visibility
  Anomaly Detection
  IDS/IPS
  Cisco Network Analysis Module (NAM)
  Layer 2 and Layer 3 Information (CDP, Routing Tables, CEF Tables)
  Correlation
  CS-MARS
  Arbor Peakflow SP and Peakflow X
  Cisco Security Agent Management Console (CSA-MC) Basic Event Correlation
  Instrumentation and Management
  Cisco Security Manager
  Configuration Logger and Configuration Rollback
  Embedded Device Managers
  Cisco IOS XR XML Interface
  SNMP and RMON
  Syslog
  Isolation and Virtualization
  Cisco IOS Role-Based CLI Access (CLI Views)
  Anomaly Detection Zones
  Network Device Virtualization
  Segmentation with VLANs
  Segmentation with Firewalls
  Segmentation with VRF/VRF-Lite
  Policy Enforcement
  Visualization Techniques
  Summary
Part III: Defense-in-Depth Applied
Chapter 8: Wireless Security
  Overview of Cisco Unified Wireless Network Architecture
  Authentication and Authorization of Wireless Users
  WEP
  WPA
  802.1x on Wireless Networks
  EAP with MD5
  Cisco LEAP
  EAP-TLS
  PEAP
  EAP Tunneled TLS Authentication Protocol (EAP-TTLS)
  EAP-FAST
  EAP-GTC
  Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution
  Configuring the WLC
  Configuring the Cisco Secure ACS Server for 802.1x and EAP-FAST
  Configuring the CSSC
  Lightweight Access Point Protocol (LWAPP)
  Wireless Intrusion Prevention System Integration
  Configuring IDS/IPS Sensors in the WLC
  Uploading and Configuring IDS/IPS Signatures
  Management Frame Protection (MFP)
  Precise Location Tracking
  Network Admission Control (NAC) in Wireless Networks
  NAC Appliance Configuration
  WLC Configuration
  Summary
Chapter 9: IP Telephony Security
  Protecting the IP Telephony Infrastructure
  Access Layer
  Distribution Layer
  Core
  Securing the IP Telephony Applications
  Protecting Cisco Unified CallManager
  Protecting Cisco Unified Communications Manager Express (CME)
  Protecting Cisco Unity
  Protecting Cisco Unity Express
  Protecting Cisco Personal Assistant
  Hardening the Cisco Personal Assistant Operating Environment
  Cisco Personal Assistant Server Security Policies
  Protecting Against Eavesdropping Attacks
  Summary
Chapter 10: Data Center Security
  Protecting the Data Center Against Denial of Service (DoS) Attacks and Worms
  SYN Cookies in Firewalls and Load Balancers
  Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)
  Cisco NetFlow in the Data Center
  Cisco Guard
  Data Center Infrastructure Protection
  Data Center Segmentation and Tiered Access Control
  Segmenting the Data Center with the Cisco FWSM
  Cisco FWSM Modes of Operation and Design Considerations
  Configuring the Cisco Catalyst Switch
  Creating Security Contexts in the Cisco FWSM
  Configuring the Interfaces on Each Security Context
  Configuring Network Address Translation
  Controlling Access with ACLs
  Virtual Fragment Reassembly
  Deploying Network Intrusion Detection and Prevention Systems
  Sending Selective Traffic to the IDS/IPS Devices
  Monitoring and Tuning
  Deploying the Cisco Security Agent (CSA) in the Data Center
  CSA Architecture
  Configuring Agent Kits
  Phased Deployment
  Summary
Chapter 11: IPv6 Security
  Reconnaissance
  Filtering in IPv6
  Filtering Access Control Lists (ACL)
  ICMP Filtering
  Extension Headers in IPv6
  Spoofing
  Header Manipulation and Fragmentation
  Broadcast Amplification or Smurf Attacks
  IPv6 Routing Security
  IPsec and IPv6
  Summary
Part IV: Case Studies
Chapter 12: Case Studies
  Case Study of a Small Business
  Raleigh Office Cisco ASA Configuration
  Configuring IP Addressing and Routing
  Configuring PAT on the Cisco ASA
  Configuring Static NAT for the DMZ Servers
  Configuring Identity NAT for Inside Users
  Controlling Access
  Cisco ASA Antispoofing Configuration
  Blocking Instant Messaging
  Atlanta Office Cisco IOS Configuration
  Locking Down the Cisco IOS Router
  Configuring Basic Network Address Translation (NAT)
  Configuring Site-to-Site VPN
  Case Study of a Medium-Sized Enterprise
  Protecting the Internet Edge Routers
  Configuring the AIP-SSM on the Cisco ASA
  Configuring Active-Standby Failover on the Cisco ASA
  Configuring AAA on the Infrastructure Devices
  Case Study of a Large Enterprise
  Creating a New Computer Security Incident Response Team (CSIRT)
  Creating New Security Policies
  Physical Security Policy
  Perimeter Security Policy
  Device Security Policy
  Remote Access VPN Policy
  Patch Management Policy
  Change Management Policy
  Internet Usage Policy
  Deploying IPsec Remote Access VPN
  Configuring IPsec Remote Access VPN
  Configuring Load Balancing
  Reacting to a Security Incident
  Identifying, Classifying, and Tracking the Security Incident or Attack
  Reacting to the Incident
  Postmortem
  Summary
Index